.TH "n2n_v3" 7 "Sep 27, 2021" "version 3" "Background"
.SH NAME
n2n version 3 \- version 3 of the n2n decentralised peer-to-peer network overlay
VPN.
.SH DESCRIPTION
n2n is a peer-to-peer network overlay or VPN system that provides layer 2 over
layer 3 encapsulation with data transform capabilities such as encryption and
compression. This guide also discusses the differences of version 3 of n2n from
version 2.
.SH PROTOCOLS
n2n-3 basically uses the same set of messages to communicate with edges and
supernodes. However, due to slight packet format changes, the n2n-3 messages
are not compatible with n2n-2. There is no backward compatibility for n2n-2.
.SH ENCRYPTION
n2n-3 offers four different ciphers for payload encryption as well as optional
header encryption. Earlier versions of n2n-2 provided a mechanism using a key
schedule which has been removed in n2n-3. A basic user authentication scheme
relying on asymmetric cryptography has been added to n2n-3.

n2n-3 provides the following ciphers to chose from for payload encryption; more
can be added as required:
.TP
.B (1) NULL
Data is encapsulated unchanged. Useful for testing and high-performance, low
sensitivity applications.
.TP
.B (2) TF-CTS
Twofish AES candidate in CTS mode.
.TP
.B (3) AES-CTS
AES in CTS mode with up to 256-bit key.
.TP
.B (4) CHACHA20
ChaCha20, a well known stream cipher developped by Daniel J. Bernstein.
.TP
.B (5) SPECK-CTR
A fast block cipher developped by the NSA used as stream cipher in CTR mode.
.TP
Full Header Encyption
The optional full header encryption also encrypts packets' header which include
some administrative data. In addition, it adds replay protection.
.TP
User Password Authentication
n2n-3 implements an optional user-password authentication scheme. A key
generator assists in generating user's public keys to be stored at the
supernode side.
.SH COMPRESSION
LZO for payload compression is an always available option at n2n-3. If compiled with
zstdlib support, ZSTD is at optional service as well.
.SH EXTENSIBILITY
n2n-3 decouples the data transform system from the core of the edge
operation. This allows for easier addition of new data transform
operations. n2n-3 reserves some standard transform identifiers (such as TwoFish
encryption) but allocates transform identifiers for user-defined
transforms. This allows anyone to add to n2n new private transforms without
breaking compatibility with the standard offering.
.SH FEDERATED SUPERNODES
n2n-3 incorporates the capability of multiple supernodes to be federated.
Federation acts transparently and balances the workload evenly among the
federated supernodes. Supernodes keep track of edges connected to different
supernodes and forward packets as required. This feature naturally supports
fail-over and this increases redundancy and resilience.
.P
Information on additional supernodes is propagated to all edges. In addition,
the n2n-3 edge implementation allows multiple supernodes to be specified on the
command line. Edges monitor the current supernode for responses to
REGISTER_SUPER as well as PING messages. After three responses from current
supernode are missed or when a better supernode in terms of significant lower workload
is found, the edge tries to connect to another supernode. It cycles through the list
f supernodes which over and over again is sorted according to reported workload.

.SH MANAGEMENT CONSOLE
Edge and supernode in n2n-3 provide a UDP-based management console. Both listen
on the localhost address 127.0.0.1. Commands can be sent to the programs by
sending to the UDP socket. Responses are returned to the socket from which
commands were issued. This only works from the computer on which the programs
are running. Statistics can be retrieved and commands issued. The netcat utility
is all that is required; but more sophisticated tools could be built on the
interface.

.SH SUPERNODE AUTHENTICATION
The supernode federation name serves as private key shared between the supernodes only.
The corresponding public key can be provided to the edges.

.SH MESSAGE SUMMARY
The following message types work within n2n-3.
.TP
REGISTER_SUPER
Sent from an edge to its local supernode to register its MAC with the community.
Also, federated supernodes use this packet format to register to each other.
.TP
REGISTER_SUPER_ACK
Sent from a supernode to an edge to confirm registration. This also carries the
definition of the edge socket as seen at the supernode so NAT can be detected
and described. Furthermore, it carries information about additional federated
supernodes.
.TP
REGISTER_SUPER_NAK
Supernode refusing to register an edge.
.TP
PACKET
Encapsulated ethernet packets sent between edges. Supernodes forward or
broadcast these and edges send them direct in peer-to-peer mode.
.TP
REGISTER
A peer-to-peer mode registration request from one edge to another. Supernodes
forward these to facilitate NAT crossing introductions.
.TP
REGISTER_ACK
Complete peer-to-peer mode setup between two edges. These messages need to
travel direct between edges.
.TP
QUERY_PEER
Queries a supernode about another edge, especially its public socket in case of
no peer-to-peer communication can be established. Additionally, it serves as PING
to query supernodes about themselves.
.TP
PEER_INFO
Answers the QUERY_PEER; it also covers the special case of the PING query, internally
called PONG.
.SH AUTHORS
.TP
Richard Andrews andrews (at) ntop.org - main author of n2n-2
.TP
Luca Deri
deri (at) ntop.org - code inherited from n2n-1
.SH SEE ALSO
ifconfig(8) edge(8) supernode(1)
.br
the documentation contained in the source code
.br
the extensive documentation found in n2n's \fBdoc/\fR folder
